LSTSRV-L Archives

LISTSERV Site Administrators' Forum

"Hiler, John" <[log in to unmask]>
Thu, 26 May 2005 16:19:12 -0400
Thanks for the clarification. This also helps us explain to management the level of urgency, or lack thereof, to move on this upgrade.

-----Original Message-----
From: LISTSERV site administrators' forum on behalf of Francoise Becker
Sent: Thu 5/26/2005 3:31 PM
To: [log in to unmask]
Cc:
Subject: Re: Which WA should I use for 1.8e system

	From the security advisory:
	
	> - Support for version 1.8e (released May 22, 2002) was
	> discontinued December 31, 2004. No patches are available for version
	> 1.8e or older.
	
	I would like to point out that NGS will not reveal the nature of the
	vulnerability until August, so you have plenty of time to upgrade to
	14.3.
	
	The vulnerability is very limited in scope, and it would take a brute
	force approach of trying every single WA function and parameter for a
	hacker to find it without NGS's help. There is very little payback
	for the hacker because normally WA is run as an unprivileged user.
	And in one case, the hacker even needs list owner privileges to
	exploit the vulnerability.
	
	The vulnerability is "high risk" if you allow your CGIs to run under
	a privileged account and/or you have a FAT or FAT32 disk on Windows.
	If your security is locked down tight, there's not much a hacker can
	do using this vulnerability. If your security is loose, then there
	are probably easier ways for a hacker to break into your system.
	
	The biggest risk is if there is another vulnerability somewhere else
	on the system that can be exploited by an unprivileged user. That is,
	there's not much that a hacker can accomplish directly through a
	properly configured WA, but by granting unprivileged access, the
	vulnerability may open a door to a vulnerability in other software.
	
	                             -----------
	
	Rather than trying to retrofit a 14.3 WA with a 1.8e LISTSERV, here
	are my recommendations for sites that are still at 1.8e and for some
	reason or another cannot upgrade to 14.3 yet:
	
	- Make sure your security is locked tight. Don't give "everyone"
	access to any folders on your server. Make sure your web server is
	running as an unprivileged user, give that user read-only access to
	only the files in your web tree, and to the files required by
	LISTSERV (see the admin manual).
	
	- Only the archives\upload folder should give write access to the
	unprivileged web user. If you want to be extra careful, remove that
	write access: bulk operations and uploads will not be possible, but
	it's better to do that than to have all sorts of odd things break by
	using a 14.3 WA with LISTSERV 1.8e. Anyway, it's only a temporary
	measure until you can upgrade to 14.3. Note: Maestro needs that
	upload directory to send jobs; if you use Maestro, I don't recommend
	this.
	
	- If you use Maestro mostly and don't use the WA interface much, then
	disable the WA interface until you have a chance to upgrade. You need
	LISTSERV 14.3 to upgrade to Maestro 2.0 anyway.
	
	- Upgrade to 14.3 at your own pace. If you can upgrade today, great.
	If you can't, don't panic -- just be more vigilant until you can
	(e.g. keep a close eye on your firewall and internet server logs).
	Upgrade as soon as you can, but don't make things worse by rushing it
	and trying unsupported configurations.
	
	Your mileage may vary. If you're a sweet target for hackers or have
	high security needs, you should make an upgrade to 14.3 a high
	priority.
	
	Internet security is always a compromise (if you want the tightest
	possible security, stay off the Internet), so in the end it's up to
	you to weigh your risks and priorities. Yes, you are taking a risk if
	you delay, but you have to decide how that risk measures in
	comparison to your other priorities.
	
	--
	Francoise Becker <[log in to unmask]>
	
	Knowledge is just a click away: http://www.lsoft.com/optin.html
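The hardening checklist in the forwarded message (no FAT/FAT32 volume, nothing granted to "everyone", the web server's account read-only everywhere except archives\upload) can be audited rather than eyeballed. The PowerShell script below is an added example for this archive page; it is not from the original post, from L-Soft, or from any LISTSERV distribution. The install root C:\LISTSERV, the web tree C:\inetpub\wwwroot and the account name IIS_IUSRS are assumptions and should be replaced with the real values for your host.

```powershell
# Added audit example, not from the original post or from L-Soft. It checks a
# Windows host against the post's rules: no FAT/FAT32 volume under LISTSERV or
# the web tree, nothing granted to Everyone, and the web user able to write
# only in archives\upload. Hypothetical defaults; change them to match your site.
param(
    [string]$ListservRoot = 'C:\LISTSERV',         # assumed LISTSERV install root
    [string]$WebTree      = 'C:\inetpub\wwwroot',  # assumed web tree holding WA
    [string]$WebUser      = 'IIS_IUSRS'            # assumed identity the CGI runs as
)

$SID_EVERYONE = 'S-1-1-0'                          # well-known SID, locale-independent
$uploadDir    = Join-Path $ListservRoot 'archives\upload'

# Any right that lets a caller create, change, delete or re-ACL content.
# FullControl and Modify include these bits, so they are caught as well.
$writeMask = [int][System.Security.AccessControl.FileSystemRights](
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')

function Test-VolumeHasAcls {
    # FAT/FAT32 carry no ACLs, so every local process can write every file:
    # the "high risk" configuration the post singles out.
    param([string]$Path)
    $root = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).ProviderPath)
    $fmt  = (New-Object System.IO.DriveInfo $root).DriveFormat
    if ($fmt -notin @('NTFS', 'ReFS')) {
        "$Path is on a $fmt volume; no ACL-based lockdown is possible there"
    }
}

function Get-AceFindings {
    # Reports explicitly set Allow ACEs on one directory. Inherited ACEs are
    # skipped because the directory they were set on already produced the finding.
    param([System.IO.DirectoryInfo]$Dir)
    $acl = Get-Acl -LiteralPath $Dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }

        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = $null }                      # orphaned SID: cannot be Everyone
        $name        = $ace.IdentityReference.Value.Split('\')[-1]
        $grantsWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0

        if ($sid -eq $SID_EVERYONE) {
            "$($Dir.FullName): Everyone is granted $($ace.FileSystemRights)"
        }
        elseif ($name -ieq $WebUser -and $grantsWrite -and $Dir.FullName -ine $uploadDir) {
            "$($Dir.FullName): $WebUser can write here ($($ace.FileSystemRights)); " +
            "only $uploadDir should allow that"
        }
    }
}

# Collect findings from both trees, including the roots themselves.
$findings = @(
    foreach ($root in @($ListservRoot, $WebTree)) {
        Test-VolumeHasAcls -Path $root
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -Directory -Force -ErrorAction SilentlyContinue)
        foreach ($d in $dirs) { Get-AceFindings -Dir $d }
    }
)

if ($findings.Count -eq 0) { 'No volume or ACL findings under the audited trees' }
else { $findings }
```

Run it from an elevated prompt so Get-Acl can read every directory. Matching "Everyone" by its SID rather than its display name keeps the check valid on non-English installations, and skipping inherited ACEs means each bad grant is reported once, at the directory where it was set, instead of once per subdirectory. A site that followed the post's stricter advice and removed write access from archives\upload will simply see no finding for that directory.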
